# {{ ansible_managed }}
# Manual customization of this file is not recommended.
# NOTE(review): the next line renders the full host lists of the fileserver and
# yumrepo inventory groups into the generated file. It looks like a debugging
# aid -- confirm it is still wanted, since it puts inventory host names on
# every managed host.
# {{ groups['fileserver'] }} {{ groups['yumrepo'] }}
#
# Host firewall rules in iptables-restore format for the filter table.
# Service ports are opened per inventory group; a common baseline follows.
# All three chain policies are ACCEPT, so inbound filtering relies entirely on
# the catch-all REJECT rules at the end of INPUT and FORWARD. OUTPUT has no
# rules and is therefore unfiltered.
# NOTE(review): none of the service rules below carries a source match (-s),
# so each opened port is reachable from any address that can route to the
# host. Where the clients are known, restrict the rule to their network,
# e.g. "-s <CLIENT_SUBNET_CIDR>" (placeholder).
# NOTE(review): the rules use "-p icmp", which suggests an IPv4 ruleset;
# confirm IPv6 traffic is filtered by a separate ruleset.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

{% if inventory_hostname in groups['fileserver'] or inventory_hostname in groups['yumrepo'] %}
# File server / yum repository hosts: HTTP on TCP 80 and 8080.
-A INPUT -p tcp  --dport 80 -j ACCEPT
-A INPUT -p tcp  --dport 8080 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['registry'] %}
# Registry hosts: TCP 5000 (presumably the registry service port; verify).
-A INPUT -p tcp  --dport 5000 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['portal_db'] %}
# Portal database hosts: TCP 5432 and 6379. These are the conventional
# PostgreSQL and Redis ports -- TODO confirm which services listen here.
# NOTE(review): data-store ports open to every source; confirm that the
# services enforce authentication and consider limiting the source network.
-A INPUT -p tcp  --dport 5432 -j ACCEPT
-A INPUT -p tcp  --dport 6379 -j ACCEPT
{% endif %}

{% if inventory_hostname in groups['node'] %}
# Node hosts: TCP 27017 (conventional MongoDB port; verify), application
# ports 8080/8090/9088/9098/10086 (purpose not shown in this template),
# UDP 161 (SNMP) and the VRRP protocol.
# A host that is also a fileserver or yumrepo member gets the 8080 rule twice;
# the duplicate is harmless.
# NOTE(review): 27017 and SNMP on 161 are open to every source; confirm that
# is intended or limit them to the monitoring and application networks.
-A INPUT -p tcp  --dport 27017 -j ACCEPT
-A INPUT -p tcp  --dport 8080  -j ACCEPT
-A INPUT -p tcp  --dport 8090  -j ACCEPT
-A INPUT -p tcp  --dport 9088  -j ACCEPT
-A INPUT -p tcp  --dport 9098  -j ACCEPT
-A INPUT -p tcp  --dport 10086 -j ACCEPT
-A INPUT -p udp  --dport 161   -j ACCEPT
-A INPUT -p vrrp               -j ACCEPT
{% endif %}

# Baseline applied to every host: return traffic for existing connections,
# all ICMP, loopback, and new SSH connections on TCP 22.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Catch-all: everything not accepted above is rejected. These two rules must
# stay last in their chains, because the chain policies are ACCEPT.
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
